Introduction
Source Code Review is the analysis of the source code of an application to find underlying security vulnerabilities. Source code review can be conducted for any software application; however, in the industry it is most commonly performed for web-based applications and mobile applications. This blog is written mainly with web applications in mind. The other term used for this area is source code analysis (SCA), so both names will be used interchangeably.
Source Code Review vs. Pentesting
The difference between source code review and penetration testing will be explained using a web-based application. Web applications pass through development desks and then take their route towards deployment desks, where they are deployed on a publicly available server. On the development desk, a web application is seen as software or source code. On the deployment desk, it is seen as a web application service accessible to its users from web browsers. Source Code Review belongs to the development desk concept: security experts are provided with the web application's source code for conducting the Source Code Review exercise. Penetration testing, on the other hand, belongs to the deployment desk concept, in which security experts test web applications through their web-based interfaces.
Source code review is considered a white box assessment, since the complete source code is in front of the security experts. Penetration testing, in comparison, can be either black box or white box. If the web application is provided without login credentials, the penetration test qualifies as black-box testing. If login credentials are provided, the penetration test is classified as a white-box assessment.
Both of these services ultimately help identify security vulnerabilities in web applications, which is the fundamental requirement for business owners. It must be understood that these services are complementary: experience has shown that some vulnerabilities are easy to identify using penetration testing but challenging to identify using source code review, and vice versa. Code reviews are generally more expensive than penetration testing, as they require considerably more time.
Source Code Review Categories
SAST and DAST, standing for static application security testing and dynamic application security testing, are terms commonly used in industry cybersecurity literature. It must be understood that these two terms define two categories of source code review. In SAST, source code is tested without being deployed or actually running. In DAST, the application is deployed in an environment similar to production, and testing is then conducted using different techniques, which vary with the type and development platform of the application.
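To make the SAST side of this distinction concrete, the following is an added example (not code from the blog or from any commercial tool) of what a static check does: it parses application source code into an abstract syntax tree and inspects it for a classic code-review finding, SQL queries assembled from runtime values, without ever executing the application. The two functions inside SAMPLE_SOURCE are constructed for this illustration, and the names review, DynamicSqlFinder and _is_dynamic_sql are hypothetical.

```python
import ast

# Constructed sample of application code under review (not from the blog).
# The first function builds its query with string formatting, the second
# passes the value separately so the database driver binds it as a parameter.
SAMPLE_SOURCE = '''
def find_user_unsafe(cursor, username):
    # the caller-controlled value becomes part of the SQL text
    query = "SELECT * FROM users WHERE name = '%s'" % username
    cursor.execute(query)

def find_user_safe(cursor, username):
    # the value travels as a bound parameter, not as SQL text
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
'''

SQL_KEYWORDS = ("select ", "insert ", "update ", "delete ")


def _looks_like_sql(node):
    """True for a string literal that starts with a SQL statement keyword."""
    return (isinstance(node, ast.Constant)
            and isinstance(node.value, str)
            and node.value.strip().lower().startswith(SQL_KEYWORDS))


def _is_dynamic_sql(node):
    """True if the expression builds SQL text at runtime from non-literal parts:
    '...' % x, '...' + x, f'...{x}' or '...'.format(x)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _looks_like_sql(node.left) or _is_dynamic_sql(node.left)
    if isinstance(node, ast.JoinedStr):  # f-string
        parts = node.values
        return (bool(parts) and _looks_like_sql(parts[0])
                and any(isinstance(p, ast.FormattedValue) for p in parts))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return _looks_like_sql(node.func.value)
    return False


class DynamicSqlFinder(ast.NodeVisitor):
    """Walks the tree, remembers simple name bindings per function, and flags
    .execute(...) calls whose first argument is dynamically built SQL."""

    def __init__(self):
        self.findings = []          # list of (function name, line number)
        self._bindings = {}         # variable name -> assigned expression
        self._current_func = "<module>"

    def visit_FunctionDef(self, node):
        outer = (self._current_func, self._bindings)
        self._current_func, self._bindings = node.name, {}
        self.generic_visit(node)
        self._current_func, self._bindings = outer

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self._bindings[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            arg = node.args[0]
            if isinstance(arg, ast.Name):        # follow query = ... one hop
                arg = self._bindings.get(arg.id, arg)
            if _is_dynamic_sql(arg):
                self.findings.append((self._current_func, node.lineno))
        self.generic_visit(node)


def review(source):
    """Static review of one source file: returns the findings without running it."""
    finder = DynamicSqlFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for func, line in review(SAMPLE_SOURCE):
        print(f"dynamic SQL passed to execute() in {func}() at line {line}")
```

The check deliberately follows one level of assignment so that `query = ... ; cursor.execute(query)` is still caught, which is the pattern a human reviewer would trace by hand; a production SAST tool does the same kind of tracking across many more hops and call boundaries, but the principle of reasoning about the code as text rather than observing a running service is the same.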